#Spring forbidden request
1 message
<@&1004656351647117403> please have a look, thanks.
I have this form:
that is at /design
this is my controller for it:
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;

import jakarta.validation.Valid;
import lombok.extern.slf4j.Slf4j;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.validation.Errors;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;

// Ingredient, Ingredient.Type, Taco, TacoOrder and IngredientRepository are the
// application's own domain classes and repository (import them from your package).

@Slf4j
@Controller
@RequestMapping("/design")
@SessionAttributes("tacoOrder") // keep the order in the HTTP session across requests
public class DesignTacoController {

    private final IngredientRepository ingredientRepository;

    @Autowired
    public DesignTacoController(IngredientRepository ingredientRepository) {
        this.ingredientRepository = ingredientRepository;
    }

    // Ingredients grouped by type, iterated by the template's th:each loop
    @ModelAttribute("ingredients")
    public Map<Type, List<Ingredient>> ingredients() {
        return StreamSupport.stream(ingredientRepository.findAll().spliterator(), false)
                .collect(Collectors.groupingBy(Ingredient::getType));
    }

    @ModelAttribute("tacoOrder")
    public TacoOrder order() {
        return new TacoOrder();
    }

    @ModelAttribute("taco")
    public Taco taco() {
        return new Taco();
    }

    @GetMapping
    public String showDesignForm() {
        return "design";
    }

    // Bound from the submitted form fields; validation errors re-render the form
    @PostMapping
    public String processTaco(@Valid Taco taco, Errors errors,
                              @ModelAttribute TacoOrder order) {
        if (errors.hasErrors()) {
            return "design";
        }
        order.addTaco(taco);
        log.info("Processing taco: {}", taco);
        return "redirect:/orders/current";
    }
}
the GET request works fine
this is my corresponding html:
<body>
  <div>
    <img class="logo" th:src="@{/images/TacoCloud.png}" alt="logo">
    <h1 class="title">Design your taco!</h1>
  </div>
  <!-- th:object binds the *{...} fields below to the "taco" model attribute -->
  <form class="centered" method="POST" th:object="${taco}">
    <div class="ingredients">
      <div class="ingredient-type" th:each="element : ${ingredients}">
        <h2 th:text="${#strings.capitalizeWords(element.key.name().toLowerCase())}"></h2>
        <div class="ingredient" th:each="ingredient : ${element.value}">
          <!-- th:value needs ${...}; without it the literal text "ingredient.id" is submitted -->
          <input th:field="*{ingredients}" type="checkbox" th:value="${ingredient.id}" th:id="${ingredient.id}">
          <!-- th:for links the label to the checkbox instead of duplicating its id -->
          <label th:text="${ingredient.name}" th:for="${ingredient.id}"></label>
        </div>
      </div>
    </div>
    <div class="naming">
      <h3>Name your Taco creation:</h3>
      <input class="text-input" type="text" th:field="*{name}">
      <br>
      <div th:if="${#fields.hasErrors('name')}">
        <span class="validation-error" th:errors="*{name}"></span>
        <br>
      </div>
      <div th:if="${#fields.hasErrors('ingredients')}">
        <span class="validation-error" th:errors="*{ingredients}"></span>
        <br>
      </div>
    </div>
    <!-- th:action has no effect on a <button>; the form posts to the current URL, /design -->
    <button th:action="@{/design}">Submit Your Taco</button>
  </form>
</body>
when I click the button it is supposed to make a POST request that triggers the controller's PostMapping
but I get this instead
I also noticed it redirects to /design?continue; I'm not sure what the reason for that is
this is my security config:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

// User (which must implement UserDetails) and UserRepository are the application's own classes.

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Nothing here touches csrf(), so Spring Security's CSRF protection stays enabled:
        // every POST/PUT/PATCH/DELETE must carry a valid token or is rejected with 403.
        return http.authorizeHttpRequests(requests -> {
            // Path matchers apply to every HTTP method, so POST /design needs ROLE_USER too.
            // hasRole("USER") matches the granted authority "ROLE_USER".
            requests.requestMatchers("/design", "/orders").hasRole("USER")
                    .requestMatchers("/", "/**").permitAll();
        }).formLogin(configurer -> {
            configurer.loginPage("/login")
                    .defaultSuccessUrl("/design");
        }).build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(UserRepository userRepository) {
        return username -> {
            User user = userRepository.findByUsername(username);
            if (user != null) {
                return user;
            }
            throw new UsernameNotFoundException("User '" + username + "' not found");
        };
    }
}
I am especially not sure about this part:
requests.requestMatchers("/design", "/orders").hasRole("USER")
though the /design role check works
but POST requests (at /design) are just generally failing
btw it never runs the PostMapping method in the controller; I checked with the debugger
based on this I disabled CSRF
and that fixed it
but why?
what is CSRF?
and why does it block normal requests?
ah well
the book actually talks about this some pages later
give me a sec
ok I now understand lmao
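For anyone landing on this thread with the same 403: the form above is submitted without a CSRF token because `th:action` sits on the `<button>`, and Thymeleaf's Spring integration only renders the hidden `_csrf` input when `th:action` is on the `<form>` element itself. Moving it there, with CSRF left enabled, is the fix rather than disabling the protection. The `?continue` suffix is unrelated: Spring Security 6 appends it when redirecting to a request it saved before login. The Python below is an added illustration, not Spring Security's code or anything from the original post. It models what Spring's CsrfFilter does, using Spring's default names (the `_csrf` parameter, the `X-CSRF-TOKEN` header, GET/HEAD/TRACE/OPTIONS exempt), against constructed requests; `Session`, `Request`, `render_design_form` and `scenario` are my own stand-ins, and Spring 6's per-request token masking is left out.

```python
"""Model of the synchronizer-token check Spring Security's CsrfFilter performs.

Added illustration (not Spring's code): an in-process stand-in with constructed
requests, so the 403 from the thread can be reproduced offline.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "TRACE", "OPTIONS"})  # never checked by Spring
PARAM_NAME = "_csrf"          # Spring's default form parameter name
HEADER_NAME = "X-CSRF-TOKEN"  # Spring's default header name


@dataclass
class Session:
    """Server-side session (stand-in). The token lives here, bound to the user,
    never somewhere an attacker's page could read it."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed HTTP request: the session is what the browser's cookie resolves to."""
    method: str
    path: str
    session: Session
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def extract_token(request: Request) -> Optional[str]:
    """Same lookup order as CsrfFilter: header first, then the form parameter."""
    return request.headers.get(HEADER_NAME) or request.params.get(PARAM_NAME)


def csrf_filter(request: Request) -> int:
    """Return the status the filter produces: 403 (rejected) or 200 (passed on to the controller)."""
    if request.method.upper() in SAFE_METHODS:
        return 200  # loading the form with GET is never blocked
    supplied = extract_token(request)
    if supplied is None:
        return 403  # Spring: MissingCsrfTokenException -> AccessDeniedHandler -> 403
    if not hmac.compare_digest(supplied.encode(), request.session.csrf_token.encode()):
        return 403  # Spring: InvalidCsrfTokenException -> 403
    return 200


def render_design_form(session: Session) -> str:
    """What Thymeleaf emits once th:action is on the <form>: a hidden _csrf field (stand-in)."""
    return (
        '<form method="POST" action="/design">\n'
        f'  <input type="hidden" name="{PARAM_NAME}" value="{session.csrf_token}">\n'
        '  <input type="text" name="name">\n'
        '  <button>Submit Your Taco</button>\n'
        '</form>'
    )


def scenario() -> Dict[str, int]:
    """Constructed requests covering the cases in the thread plus the attack CSRF prevents."""
    user = Session()
    results = {}
    # 1. loading the form: GET is exempt
    results["get_form"] = csrf_filter(Request("GET", "/design", user))
    # 2. the thread's form: fields present, no _csrf parameter -> 403
    results["post_no_token"] = csrf_filter(
        Request("POST", "/design", user, params={"name": "Veggie Delight"}))
    # 3. form rendered with th:action on <form>: the hidden _csrf is echoed back -> accepted
    results["post_with_token"] = csrf_filter(
        Request("POST", "/design", user,
                params={"name": "Veggie Delight", PARAM_NAME: user.csrf_token}))
    # 4. same token sent in the header, as a JavaScript client would
    results["post_header_token"] = csrf_filter(
        Request("POST", "/design", user, headers={HEADER_NAME: user.csrf_token}))
    # 5. cross-site request forgery: a page on another origin auto-submits a POST in the
    #    victim's browser. The browser attaches the victim's session cookie, but the page
    #    cannot read the victim's token, so the best it can do is send some other token.
    attacker = Session()
    results["cross_site_post"] = csrf_filter(
        Request("POST", "/design", user, params={PARAM_NAME: attacker.csrf_token}))
    return results


if __name__ == "__main__":
    for case, status in scenario().items():
        print(f"{case:18s} -> {status}")
```

`scenario()` reproduces the thread: the GET passes, the tokenless POST comes back 403 before any controller code runs (which is why the debugger never hit `processTaco`), the POST that echoes the hidden field passes, and the cross-site POST is rejected even though it rides on the victim's session cookie. That last case is the whole point of the check, and it is lost when `csrf()` is disabled.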